Sub-processors
Last Updated: May 2026
Overview
Legistry AI uses third-party service providers (sub-processors) to deliver the Service. This page lists every sub-processor that may process customer personal data, as required under Article 28 of the EU General Data Protection Regulation and equivalent provisions of similar laws.
Each sub-processor operates under a Data Processing Agreement with Legistry AI containing contractual safeguards consistent with our obligations to customers under our own DPA.
Notification of changes
We give customers at least 30 days' advance notice of material changes to this list. Customers under an active DPA may object to a new sub-processor by contacting us at privacy@legistry.ai within the notice period.
Current sub-processors
| Provider | Service | Region | Legal |
|---|---|---|---|
| Supabase: Database, authentication, file storage | Storing organization and user data, contracts, audit logs, and signed documents. | United States (us-east) | Privacy, DPA |
| OpenAI: AI contract analysis and drafting | Generating contract drafts, risk analysis, clause extraction. Customer content is PII-redacted before transmission. Configured with zero-retention so prompts and completions are not used for training. | United States | Privacy, DPA |
| Anthropic: AI fallback for legal analysis | Used when the primary AI provider is unavailable or for tasks requiring premium model accuracy. Customer content is PII-redacted before transmission. | United States | Privacy, DPA |
| Perplexity: Real-time regulatory and vendor research | Live web research used for compliance scanning and vendor due diligence. Only public web content is fetched; customer contracts are not transmitted. | United States | Privacy, DPA |
| Resend: Transactional email delivery | Delivering signature requests, account notifications, and password resets. | United States | Privacy, DPA |
| Qdrant: Semantic search index | Storing vector embeddings of contracts and uploaded documents to power RAG-based AI features. | United States | Privacy, DPA |
| Cloudflare: DDoS protection and content delivery | Edge caching for the marketing site, DDoS mitigation, TLS termination. | Global edge network | Privacy, DPA |
| Sentry: Error monitoring | Capturing runtime errors and performance traces. PII is filtered before transmission. | United States | Privacy, DPA |
| Stripe: Payment processing (when active) | Processing subscription billing. We do not store full payment card numbers; only Stripe customer IDs and last-four digits. | United States, Ireland | Privacy, DPA |
Data transfer safeguards
Where customer personal data is transferred outside the European Economic Area, the United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and supplementary technical and organizational measures, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Automatic PII redaction before transmission to AI providers
- Restricted access controls and audit logging on all data stores
- Sub-processor selection criteria including current SOC 2 or ISO 27001 certifications
Contact
Questions about our sub-processors or data protection practices? Email privacy@legistry.ai.